The process of booting a computing device prepares the computing device to perform useful tasks under control of an operating system. The initial application of power to the electronic circuitry of a computing device generally only renders the computing device capable of performing rudimentary tasks, such as fetching instructions embedded into hardware components of the computing device. Thus, the boot process executes those instructions, and initiates processes that enable a computing device to perform more complex tasks. However, because the boot process performs operations prior to the execution of the operating system and any other software whose execution utilizes the operating system, malicious code executed during the boot process can remain undetected but can affect the ongoing execution properties of the system.
To provide protection against malicious code introduced into a computing device before the operating system or other software is loaded, the notion of a “trusted computer” was developed, whereby the state of the computing device could be ascertained by subsequently executed software. To that end, a “Trusted Platform Module” (TPM) chip was added to the computing device, which could maintain values in a secure manner and could be used to ascertain whether the computer had booted properly. In particular, the TPM chip comprises registers known as “Platform Configuration Registers” (PCRs) that store values that uniquely identify measurements of the system that have been taken since power was applied to the circuitry of the computing device. These measurements are indicative of the software that is executed during the boot process and of the presence and configuration of various hardware components. If the proper measurements were made in the correct order, then the PCRs of the TPM would contain unique values that could be used to verify that the computing device did indeed boot in a recognizable way. If the measurements are recognized to represent a computer that has booted in a trusted way, then the machine is in a trusted state when it begins executing the operating system software. In such a manner, malicious code in the boot sequence can be detected.
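The measurement chain described above, as an added illustration that is not part of the original text and does not model any particular TPM or firmware: a single SHA-256 PCR is extended once per boot stage, an event log records what was measured, and a verifier both replays the log and compares the result with a known-good value. The stage images, the known-good value and the function names are constructed for the example.

```python
import hashlib

PCR_BYTES = 32  # one SHA-256 PCR; it reads as all zeros when power is applied

def pcr_extend(pcr, measurement):
    """TPM extend: PCR <- H(PCR || H(measured data)). A PCR can only be extended, never written."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(stages):
    """Each boot stage measures the next into the PCR before handing over control.

    Returns the final PCR value and the event log (stage name, digest) that a verifier replays."""
    pcr, event_log = bytes(PCR_BYTES), []
    for name, image in stages:
        pcr = pcr_extend(pcr, image)
        event_log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr, event_log

def replay_event_log(event_log):
    """Recompute the PCR from the log alone, to check that the log explains the PCR value."""
    pcr = bytes(PCR_BYTES)
    for _, digest_hex in event_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr

def boot_is_recognized(pcr, event_log, expected_pcr):
    """Verifier policy: the log must reproduce the PCR, and the PCR must match a known-good value."""
    return replay_event_log(event_log) == pcr and pcr == expected_pcr

# Constructed stand-ins for the firmware, boot loader and kernel images of a known-good boot.
KNOWN_GOOD_BOOT = [
    ("firmware", b"firmware image v1 (constructed)"),
    ("bootloader", b"bootloader image v1 (constructed)"),
    ("kernel", b"kernel image v1 (constructed)"),
]
EXPECTED_PCR, _ = measured_boot(KNOWN_GOOD_BOOT)  # the value a verifier would keep on file
```

Because each extend folds the previous PCR value into the hash, the same images measured in a different order, or one image that differs by a single byte, produce a different final value, and a log edited after the fact no longer replays to the PCR the TPM holds.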
However, such a basic notion of a “trusted computer” is based on an assumption that the computing device to be protected is the user's own computing device, or is within the control of the user or someone the user trusts. An unknown computing device, such as a computing device at an internet café or at an airport kiosk, cannot be trusted by a user merely because the PCRs of a TPM present within such a computing device match expected values. As an initial matter, without maintaining some element of control over the physical computing device itself, the user cannot be certain that the TPM itself has not been tampered with. Secondly, the user, using such a computing device for the first time, cannot be certain of what values of the PCRs are appropriate for such a computing device. Consequently, users are often cautioned against performing computing tasks directed towards sensitive or secure information with a public, or otherwise unknown, computing device.
To enable remote verification of unknown computing devices, such as within the context of joining a protected network, a computing device guarding the network can request, and receive, information from the unknown computing device that can enable the guarding computing device to ascertain the trustworthiness of the unknown computing device. In particular, each TPM can comprise an “endorsement key” that can be a standard RSA key having both public (EKpublic) and private (EKprivate) portions. The owner of the computing device can create an endorsement key certificate (EKcertificate) over EKpublic, which can include information about the computing device, such as its manufacturer, its model designation, and the like. The indicated manufacturer, or a downstream signing authority, can act as a root-of-trust anchor that can enable the creation of a trust relationship between the unknown computing device and a guardian computing device, or another computing device acting as a proxy for the guardian computing device, such as a trusted Privacy Certificate Authority (PCA).
To establish such a trust relationship, a process on the unknown computing device seeking to establish the trust relationship can request the TPM on that computing device to create an Attestation Identity Key (AIK), which can also be a standard RSA key. The TPM can create the AIK, but cannot let the requesting process use it until, for example, a trust relationship has been established with a PCA. Instead, the TPM can provide, to the requesting process, a bundle of data, often referred to as a “data blob”, comprising the public key of the AIK (AIKpublic) and a nonce to guard against spoofing, all of which can be signed by the private key of the AIK (AIKprivate). The requesting process can provide this data blob to the PCA, together with the EKcertificate, and can request validation by the PCA. If the EKcertificate has been signed by an entity that the PCA trusts, or if the EKpublic contained in the EKcertificate is an EKpublic that the PCA recognizes as originating from an authentic TPM, the PCA can certify the AIK by issuing a certificate (AIKcertificate). Because the AIKcertificate can be quite large, the PCA can encrypt it using a symmetric key, thereby generating a smaller representation of it. The PCA can also generate a digest of AIKpublic and encrypt that digest, together with the symmetric key, with EKpublic. The resulting data blob is commonly referred to as the “EK activation blob.”
The PCA can return the EK activation blob to the requesting process on the unknown computing device. The requesting process can, in turn, provide the EK activation blob to the TPM on the untrusted computing device, and request that the TPM unlock the identity associated with the AIK. If the TPM can decrypt the EK activation blob, which it should be able to do, since it should be in possession of EKprivate, then the TPM can check the digest of AIKpublic that was created by the PCA, and that accompanies the symmetric key that was used, against the digest of AIKpublic that the TPM itself determines. If the digest received matches the digest as determined by the TPM, the TPM can provide the symmetric key to the requesting process, which can then, in turn, decrypt the AIKcertificate. With the AIKcertificate, the requesting process on the unknown computing device can establish a trust relationship with another computing device, such as a guardian computing device, that trusts the PCA. The unknown computing device can, thereby, become a trusted computing device.
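The exchange of the two preceding paragraphs, worked through end to end as an added example that is not part of the original text and is not the code of any real TPM or PCA. Textbook RSA without padding on small primes stands in for the TPM's RSA endorsement and attestation keys, and a SHA-256 counter keystream stands in for the symmetric cipher; both are toy constructions chosen so the example runs with the standard library alone. The manufacturer key, the certificate layouts, the 48-byte activation plaintext and all names (ToyTPM, pca_certify, run_activation) are assumptions of this example. The PCA checks the EKcertificate against the manufacturer keys it trusts and the identity blob's signature under AIKpublic; the TPM releases the symmetric key only when the digest it decrypts with EKprivate names its own AIK.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=20):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=256):
    """Toy textbook RSA: return ((n, e), (n, d)); n is ~512 bits, so the 48-byte values below are < n."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+

def rsa_apply(key, m):  # one modular exponentiation serves sign/verify/encrypt/decrypt (no padding)
    return pow(m, key[1], key[0])

def h_bytes(*parts):  # SHA-256 over the parts; ints and strings are stringified first
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.digest()

def h_int(*parts):
    return int.from_bytes(h_bytes(*parts), "big")

def sym_xor(key, data):  # toy symmetric cipher: SHA-256 counter keystream; the same call decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class ToyTPM:
    """TPM on the unknown machine: holds EKprivate and never releases AIKprivate."""
    def __init__(self, manufacturer_priv, model):
        self.ek_pub, self._ek_priv = rsa_keygen()
        self.aik_pub = self._aik_priv = None
        self.ek_certificate = {"ek_public": self.ek_pub, "model": model,  # EKcertificate: signed by maker
                               "signature": rsa_apply(manufacturer_priv, h_int(*self.ek_pub, model))}

    def create_aik(self, nonce):
        """Identity data blob: AIKpublic and the caller's nonce, signed with AIKprivate."""
        self.aik_pub, self._aik_priv = rsa_keygen()
        return {"aik_public": self.aik_pub, "nonce": nonce,
                "signature": rsa_apply(self._aik_priv, h_int(*self.aik_pub, nonce))}

    def activate_identity(self, activation_blob):
        """Decrypt with EKprivate; release the symmetric key only if the digest names our AIK."""
        plain = rsa_apply(self._ek_priv, activation_blob).to_bytes(64, "big")  # n < 2**512
        digest, sym_key = plain[16:48], plain[48:]  # 16 leading zero bytes, 32-byte digest, 16-byte key
        return sym_key if digest == h_bytes(*self.aik_pub) else None

def pca_certify(trusted_manufacturer_pubs, ek_certificate, identity_blob):
    """Privacy CA: validate the EKcertificate and the identity blob, then issue the two blobs."""
    ek_pub, model = ek_certificate["ek_public"], ek_certificate["model"]
    if not any(rsa_apply(m, ek_certificate["signature"]) == h_int(*ek_pub, model) for m in trusted_manufacturer_pubs):
        raise ValueError("EKcertificate not signed by a trusted manufacturer")
    aik_pub = identity_blob["aik_public"]
    if rsa_apply(aik_pub, identity_blob["signature"]) != h_int(*aik_pub, identity_blob["nonce"]):
        raise ValueError("identity blob signature does not verify under AIKpublic")
    aik_certificate = f"AIKcertificate n={aik_pub[0]} issued by ToyPCA for {model}".encode()
    sym_key = secrets.token_bytes(16)
    # EK activation blob: (digest of AIKpublic || symmetric key), 48 bytes, encrypted to EKpublic
    activation_blob = rsa_apply(ek_pub, int.from_bytes(h_bytes(*aik_pub) + sym_key, "big"))
    return sym_xor(sym_key, aik_certificate), activation_blob

def run_activation(trusted_manufacturer_pubs, tpm, tamper=False):
    """The requesting process on the unknown machine; returns the AIKcertificate or None."""
    identity_blob = tpm.create_aik(secrets.token_bytes(16))
    try:
        encrypted_cert, activation_blob = pca_certify(trusted_manufacturer_pubs, tpm.ek_certificate, identity_blob)
    except ValueError:
        return None
    if tamper:
        activation_blob ^= 1  # constructed in-transit modification of the activation blob
    sym_key = tpm.activate_identity(activation_blob)
    return None if sym_key is None else sym_xor(sym_key, encrypted_cert)
```

A TPM whose EKcertificate chains to a manufacturer the PCA does not trust never receives an activation blob, and an activation blob that was altered in transit, or that was encrypted to some other EKpublic, decrypts to a digest that does not name the TPM's AIK, so the symmetric key, and with it the AIKcertificate, stays locked.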
Unfortunately, a user seeking to use an untrusted computing device, such as a public kiosk or a computing device at an internet café, may not be able to establish independent communication with a certifying authority and may not, therefore, be able to avail themselves of the above described mechanisms. Consequently, such a user still cannot use the unknown, and untrusted, computing device for any manner of secure computation.